IJSTE - International Journal of Science Technology & Engineering | Volume 2 | Issue 10 | April 2016

ISSN (online): 2349-784X

Community-Based Secure Information and

Resource Sharing In AWS Public Cloud
A.Joyce
Assistant professor
Department of Computer Science & Engineering
PSNA college of engineering and technology Dindigul

Abstract
An open cloud furnishes undertakings and associations with a protected and proficient environment to send their frameworks.
While associations and organizations advantage from moving to cloud stage, it is likely that comparable digital assaults will
happen to associations which have the same cloud stage. One approach to alleviate this danger is to share digital security data
among these associations. Sadly, prominent open cloud stage AWS is deficient with regards to an acknowledged access control
model for digital security data sharing. We propose an entrance control model for clients who use AWS stage as their framework
stage to safely share digital assault data. Our model empowers secure digital data sharing and coordinated efforts out in the open
cloud environment on a group premise.
Keywords: Cloud; Incident Response; Security Information Sharing; AWS
________________________________________________________________________________________________________
I.

INTRODUCTION

Safely and successfully sharing digital data over different associations and collaborating on digital security occurrences has been
a noteworthy examination subject lately. Digital security data sharing permits associations to share risk examination and episode
reaction data with synergistic groups shaped to handle both existing and potential digital dangers. With becoming advanced
digital assaults each year, guarding a solitary association all alone turns out to be progressively troublesome. All associations,
paying little respect to size, could be the objective of a digital assault putting its basic advanced resources at danger. A digital
break can bring about generous financial misfortune. Building up a general digital occurrence reaction system for associations
upgrades cross-association coordination, speeds up episode investigation and choice making process, distinguishes and
comprehend the assault and take fast reaction activities. A decent reaction can minimize the harm brought on by digital episodes
on profitable computerized resources. Cloud innovation puts numerous associations in a solitary cloud framework foundation,
giving extra open doors for digital foes to assault associations of comparable frameworks in a solitary cloud. Then again, by
ideals of sharing same cloud foundations it is more probable that associations will have comparable concerns in regards to
security and protection. In this paper, we explore models for secure data and assets partaking in Amazon Web Services (AWS)
[1] open cloud. An open cloud is one of the principle arrangement models of contemporary cloud stages, giving administrations
to the overall population [5]. AWS is an open cloud administration offered by Amazon. It gives organizations fast access to
adaptable and ease IT assets by means of administrations, for example, remote processing (Amazon EC2) and capacity (Amazon
S3). We propose an open cloud model to encourage the arrangement of groups containing associations willing to work together
with other group individuals in connection of digital occurrences. The objective is that associations in such a very much
characterized group can quickly share digital security data and assets. At the point when a digital occurrence happens, influenced
associations inside of the group can rapidly shape a moment digital episode reaction group with inner and outer security pros.
Security data and assets for the occurrence are partaken in the episode reaction group. A digital security administration is given
in people in general cloud, which empowers associations having cross-association joint efforts to speak and facilitate with
different associations amid life cycle of a digital occurrence. Associations impart their security information to different
individuals in the group. In this paper, we show an entrance control model for digital security data and asset sharing inside of an
open cloud for digital episodes reaction. This paper continues as takes after. We introduce some related work and foundation
learning in Section 2. We present AWS Access Control (AWSAC) model in Section 3. In Section 4, we characterize the
AWSAC with Secure Isolated Domain expansion (AWSACSID), which is our model for digital joint effort in AWS. We give
some authorization proposals in Section 5.
II. RELATED WORK
We have presented several access control models for secure information and resources sharing in a collaborative community of
organizations. We developed the OpenStack Access Control model with SID extension (OSAC-SID) [9], which is a basic model
for organizations sharing information in aOpenStack cloud platform [2]. We also designed the advanced Hierarchical OpenStack
Access Control model with SID extension (OSAC-HMT-SID) [10], which provides organizations additional cyber security
control with routine cyber information collection and processing, a community security committee and a public security forum in

All rights reserved by www.ijste.org

55

Community-Based Secure Information and Resource Sharing In AWS Public Cloud

(IJSTE/ Volume 2 / Issue 10 / 011)

the community. This paper is a continuation of this line of work, but in AWS public cloud. The concept we used to build these
models comes from Group-Centric Secure Information Sharing (g-SIS) [4], which introduces group-based information and
resources sharing. G-SIS model presents a method to control access among a group of users and objects, which is well suited to
the collaborative community scenario. In particular, g-SIS enables sharing using copies of original information, versus traditional
information and resource sharing approaches which give access to original information and resources [3], [6], [8] to enable
sharing. Sharing by copy gives additional security protection over the original information and resources, since access to the
copies can be provided in a tightly controlled environment. In this paper, we further explore information and resources sharing in
AWS public cloud. Compared to Open Stack, AWS public cloud provides very different mechanisms. AWS uses local roles and
policies while Open Stack uses global roles and service-owned police. AWS doesnt have hierarchical multi-tenancy while Open
Stack does.

Fig. 1: Aws Access Control

III. AWS ACCESS CONTROL MODEL (AWSAC)

We present the Amazon Web Service Access Control (AWSAC) model in this section. As a public cloud service provider, AWS
provides web services to its customers through AWS accounts. Customers who own an account have access to cloud resources.
They can create users and grant them access to cloud resources in the account. A user belongs to a unique account. Users can
also access resources in other accounts with federated permissions. We discuss AWS Access Control in two perspectives: within
a single account and across accounts. AWS offers a form of policy-based access control, wherein permissions are defined over
cloud resources in a policy file and policies are attached to entities such as users, groups, roles and resources. Figure 1 depicts
this model within a single account. In this and other figures, the arrows denote binary relations with the single arrowhead
indicating the one side and double arrowheads the many side. The dotted lines denote virtual relations between entities while the
solid lines denote explicit relations. Cross-account access will be discussed later in context of Figure 2. AWSAC has seven
components: Accounts (A), Users (U), Groups (G), Roles (R), Services (S), Object Types (OT), and Operations (OP). We also
introduce other entities such as policies and credentials, which are implicitly included in the model. For simplicity, we use the
term users to represents both users and groups in the rest of the paper.

Fig. 2: Sid Component

In AWS, users permissions over services and resources are defined in policy files. Policy files can be attached to a user, a group,
a role or a specific cloud resource. By attaching a policy to a user, a group or a role, users gain permissions to corresponding
cloud resources. The policy defines the actions the user will perform and cloud resources on which the actions will function.
Multiple permissions can be defined in one policy file. Multiple policy files can be attached to one entity. AWS achieves
permission assignment in a virtual manner via the policies attached to various relevant entities. Roles: Unlike roles in RBAC,
roles in AWS are mainly used for cross-account federation purpose. However, roles can also be used for internal users in an
account. Policy files can be attached to a role. Services refer to cloud services AWS provides to its customers. Cloud Service
Provider (CSP) leases cloud resources to its customers in terms of services. AWS provides customers with services such as

All rights reserved by www.ijste.org

56

Community-Based Secure Information and Resource Sharing In AWS Public Cloud

(IJSTE/ Volume 2 / Issue 10 / 011)

compute, storage, networking, administration, and database. Cross-account access: Users in one AWS account can access
services and resources in another AWS account through the action Assume Role with temporary security credentials, as shown in
Figure 2.
In this and other figures, the thick arrow represents an action taken by a user to assume a role. Users from account A access
services and resources in account B through roles created in account B, by being attached with policies of the action Assume
Role and a target resource defined. With the concepts described above, we formalize AWSAC model as follows.
Assume Role is an action allowing users to activate a role authorized in VUR. IV. AWSAC WITH SID EXTENSION
(AWSAC-SID) In this section, we present an access control model for AWS with the Secure Isolated Domain extension
(AWSACSID). We build the AWSAC-SID model on top of the AWSAC model to include Secure Isolated Domain (SID)
functionality [9]. We present the AWSAC-SID model so as to cover only the additional components added to the AWSAC
model.

Fig. 3:aw-sid model

Figure 3 shows the AWSAC-SID model, where we ignore groups for simplicity. In the rest of the paper, group is used to
represent a group of organizations, rather than the groups component of AWSAC. In our discussion, we assume that a user
belongs to only one organization in the public cloud. For simplicity, we also assume one organization has one AWS account. The
additional components included in AWSAC-SID model are: Secure Isolated Domain (SID), Secure Isolated Project (SIP), Expert
Users (EU), Core Project (CP), and Open Project (OP). These are described below.
Secure Isolated Domain (SID): Secure Isolated Domain [9] is a special domain, holding security information and resources for
cross-organizational security collaborations. SID provides an administrative boundary for cyber security Secure Isolated Domain
(SID) Core Project (CP) Open Project (OP) Secure Isolated Project SIP-1 Secure Isolated Project SIP-n Figure 4. SID
Composition information and resource collection and analysis, and a secure isolated environment for cyber security
collaborations in a community of organizations. SID holds all Secure Isolated Projects (SIPs) designed for cyber incident
response and security collaboration within this community of organizations. SID also holds a Core Project (CP) and an Open
Project (OP), as shown in Figure 4. Secure Isolated Project (SIP): Secure Isolated Project [9] is a special project with constraints
over its user membership. It is used to collect, store and analyze cyber security information for specific security reasons. A SIP
provides a controlled environment for a group of organizations within the community to collaborate and coordinate on cyber
incidents and other security issues. Core Project (CP): Core Project is a shared project holding cyber security committee [7] for
the community of organizations. Each organization in the community has at least one representative security user in the
committee. Open Project (OP): Open Project is an open shared project where users from the community of organizations share
common cyber security information and resources [7].
The creation of a SIP succeeds based on agreement among the subset of the community of organizations. Each organization in
the SIP has equal limited administrative power, which represented by a role in SIPadmin. The role gives the SIP admin users the
permission to add and remove other users from their home account to the SIP. Organizations set up a SIP by sending the SIP
creation request to the SID manager account. Delete a SIP: After the collaboration is finished, a SIP needs to be securely deleted.
The delete command is issued by the same set of the security admin users (subuSet) who issue the SIP creation. All information
and resources are securely deleted in the SIP. All users assigned to the SIP are removed from it. Add/remove a user to/from a
Core Project: Core Project admin users are the set of security administrative users (uSet) from the community of organizations.
These limited administrative users can add/remove users of their organizations to/from Core Project. All the users added to the
Core Project are existing users from an organizations account. The limited administrative users dont have the permission to
create new users. They can only add existing users to the Core Project. When users are removed from the Core Project, they will
lose the access to corresponding information and resources in the Core Project, regardless of the ownership of the piece of
information in the past. Add/remove a user to/from a SIP: Users from subset who are assigned with role SIP admin has the
limited administrative power in the SIP. They can add/remove users of their home accounts to/from the corresponding SIP due to
the need of collaboration. Users will lose access to information and resources after they are removed from the SIP.
Administrative users in a SIP can see all users added from the community of organizations, as well as information and resources
they bring in, which means there is no hidden users, information and resources in a SIP. Add/remove a user to an Open Project:
Every user in the collaborative community of organizations is allowed to join the Open Project. Users in Open Project have equal
but limited permissions.

All rights reserved by www.ijste.org

57

Community-Based Secure Information and Resource Sharing In AWS Public Cloud

(IJSTE/ Volume 2 / Issue 10 / 011)

IV. CONCLUSION AND FUTURE WORK

AWS is a prominent open cloud stage which gives significant comfort to undertakings and associations to encourage their
business. Data and assets partaking in digital security cooperation openly cloud is a vital point. The model we characterized in
this paper is one approach to accomplish such partaking in AWS. We are likewise inspired by investigating different alternatives
by and large. For the future work, we might want to investigate other model choices on other cloud stages. We might likewise
want to research neighborhood parts in the model, subsequent to AWS gives fine-grained approach definition which offers
degree to characterize fine-grained nearby parts in the model. At long last, it is significant to look at all the models in various
cloud stages particularly the prevailing exclusive ones.
REFERENCES
[1]
[2]
[3]
[4]

http://aws.amazon.com/.
https://www.openstack.org/.
E. Cohen, R. K. Thomas, W. Winsborough, and D. Shands. Models for coalition-based access control (CBAC). In Proc. 7th ACM SACMAT, 2002
R. Krishnan, R. Sandhu, J. Niu, and W. Winsborough. Towards a framework for group-centric secure collaboration. In 5th IEEE CollaborateCom, pages 1
10, 2009.
[5] P. Mell and T. Grance. The NIST definition of cloud computing. NIST Sp. Pub. 800-145, Sept. 2011.
[6] L. Pearlman, V. Welch, I. Foster, C. Kesselman, and S. Tuecke. A community authorization service for group collaboration. In 3rd IEEE International
Workshop on Policies for Distributed Systems and Networks, 2002.
[7] R. Sandhu, K. Z. Bijon, X. Jin, and R. Krishnan. RTbased administrative models for community cyber security information sharing. In 7th IEEE
CollaborateCom, 2011.
[8] D. Shands, R. Yee, J. Jacobs, and E. J. Sebes. Secure virtual enclaves: Supporting coalition use of distributed application technologies. In IEEE DARPA
Information Survivability Conference and Exposition, volume 1, pages 335350, 2000.
[9] Y. Zhang, R. Krishnan, and R. Sandhu. Secure information and resource sharing in cloud infrastructure as a service. In ACM WISCS, pages 8190, 2014.
[10] Y. Zhang, F. Patwa, R. Sandhu, and B. Tang. Hierarchical secure information and resource sharing in openstack community cloud. In IEEE Conference on
Information Reuse and Integration (IRI), 2015.

All rights reserved by www.ijste.org

58